This article explains how to resolve the error "Your SharePoint admin doesn't allow site collection admins to update app permissions. Please contact your SharePoint tenant administrator", which appears when a site collection administrator tries to trust an app principal and grant it the permissions needed to execute background actions.
The error is caused by a Microsoft security change: by default, only tenant administrators can create or update Azure ACS (Access Control Service) app principals, and site collection administrators are blocked from doing so.
A SharePoint tenant administrator can allow site collection administrators to register an app principal or assign it permissions again by setting the tenant property SiteOwnerManageLegacyServicePrincipalEnabled to True. Note that this is a tenant-wide setting: once it is enabled, any site collection administrator in the tenant can register app principals and grant them permissions on the sites they administer, so enable it deliberately and keep track of which app principals are trusted.
To check SiteOwnerManageLegacyServicePrincipalEnabled property value, you could run simple PowerShell Command:
Connect-SPOService -Url https://domain-admin.sharepoint.com
Get-SPOTenant | Select-Object SiteOwnerManageLegacyServicePrincipalEnabled
Connect-SPOService prompts for credentials and connects to SharePoint Online using the URL of the admin center (replace "domain" with your tenant name). Use an account that holds the SharePoint Administrator role; a Global Administrator account also works, but the narrower role is enough.
Get-SPOTenant | Select-Object reads the tenant property and returns its value.
In the result screenshot above, the value of the SiteOwnerManageLegacyServicePrincipalEnabled property is False, which means that site owners are not able to register or update app principals.
To change this behavior, run another simple PowerShell command: Set-SPOTenant -SiteOwnerManageLegacyServicePrincipalEnabled $true. This changes the value of the tenant property and only needs to be done once.
Connect-SPOService -Url https://domain-admin.sharepoint.com
Set-SPOTenant -SiteOwnerManageLegacyServicePrincipalEnabled $true
Connect-SPOService prompts for credentials and connects to SharePoint Online using the URL of the admin center. Use an account that holds the SharePoint Administrator (or Global Administrator) role.
Set-SPOTenant sets the SiteOwnerManageLegacyServicePrincipalEnabled tenant property to True. After this, site owners can register and update app principals. Run Get-SPOTenant again to confirm the new value before asking the site collection administrator to retry.
If you get the following error message:
Set-SPOTenant -SiteOwnerManageLegacyServicePrincipalEnabled $true
Set-SPOTenant : A parameter cannot be found that matches parameter name 'SiteOwnerManageLegacyServicePrincipalEnabled'.
At line:1 char:15
+ Set-SPOTenant -SiteOwnerManageLegacyServicePrincipalEnabled $true
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Set-SPOTenant], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.Online.SharePoint.PowerShell.SetTenant
it means the installed SharePoint Online Management Shell predates the parameter. Update to the latest version with the following command, then open a new PowerShell window and reconnect:
Install-Module Microsoft.Online.SharePoint.PowerShell -force
Note: an account with the SharePoint Administrator role (or Global Administrator) is required to connect to SharePoint Online and get or set the SiteOwnerManageLegacyServicePrincipalEnabled property; a site collection administrator cannot change it.
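The whole procedure above (check the module, connect, read the property, change it only if needed, and verify) as one script. This is an added example, not part of the original article; it assumes a tenant named "contoso" (replace the admin URL with your own) and that the Microsoft.Online.SharePoint.PowerShell module is installed.

```powershell
# Added example, not from the original article.
# Assumption: the tenant is named "contoso"; replace with your own tenant name.
$AdminUrl = "https://contoso-admin.sharepoint.com"

# 1. Verify the installed SharePoint Online Management Shell knows the parameter.
#    Older builds fail with "A parameter cannot be found that matches parameter
#    name 'SiteOwnerManageLegacyServicePrincipalEnabled'".
$setTenant = Get-Command Set-SPOTenant -ErrorAction Stop
if (-not $setTenant.Parameters.ContainsKey('SiteOwnerManageLegacyServicePrincipalEnabled')) {
    $ver = (Get-Module Microsoft.Online.SharePoint.PowerShell).Version
    throw "Module version $ver is too old. Run: Install-Module Microsoft.Online.SharePoint.PowerShell -Force"
}

# 2. Connect with a SharePoint Administrator (or Global Administrator) account.
#    A site collection administrator cannot change tenant properties.
Connect-SPOService -Url $AdminUrl

try {
    # 3. Read the current value before touching anything.
    $before = (Get-SPOTenant).SiteOwnerManageLegacyServicePrincipalEnabled
    Write-Host "SiteOwnerManageLegacyServicePrincipalEnabled before: $before"

    if ($before -eq $true) {
        Write-Host "Already enabled; nothing to change."
    }
    else {
        # 4. Enable it. This is tenant-wide: every site collection admin in the
        #    tenant can now register app principals and grant them permissions.
        Set-SPOTenant -SiteOwnerManageLegacyServicePrincipalEnabled $true

        # 5. Read back to confirm the change took effect.
        $after = (Get-SPOTenant).SiteOwnerManageLegacyServicePrincipalEnabled
        if ($after -ne $true) {
            throw "Setting did not take effect; re-run Get-SPOTenant after a short wait."
        }
        Write-Host "SiteOwnerManageLegacyServicePrincipalEnabled after: $after"
    }
}
finally {
    Disconnect-SPOService
}
```

The script refuses to run on a module that lacks the parameter, so it fails with a clear message instead of the ParameterBindingException shown above, and it reads the property back after setting it so the site collection administrator is only told to retry once the change is confirmed.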